PT-2023-18680 · Discourse · Discourse

Pmusaraj

Published

2023-01-26

Updated

2024-03-06

CVE-2023-22739

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions Discourse versions prior to 3.0.1 Discourse version 3.1.0.beta2 and earlier

Description Discourse is an open source platform for community discussion. The issue is related to Allocation of Resources Without Limits or Throttling, where a malicious user can create an arbitrarily large draft, forcing the instance to a crawl, as there is no limit on data contained in a draft.

Recommendations For versions prior to 3.0.1, update to version 3.0.1 or later. For version 3.1.0.beta2 and earlier, update to version 3.1.0.beta2 or later. As a temporary workaround, consider restricting the ability to create large drafts until a patch is applied.

Exploit

Fix

Allocation of Resources Without Limits

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-770

Related Identifiers

BIT-DISCOURSE-2023-22739

CVE-2023-22739

GHSA-RQGR-G6V7-JCFC

Affected Products

Discourse

PT-2023-18680 · Discourse · Discourse

CVE-2023-22739

Weakness Enumeration

Related Identifiers

Affected Products

References · 6